On Wednesday, Apple CEO Tim Cook appeared in a TV interview with ABC News, defending Apple's refusal to comply with an FBI order (covered previously on InfoQ). On Thursday, Apple filed a motion to vacate the order filed by the FBI – see the update at the bottom of the article. The TV interview has since been promoted on Apple's TV channels on their eponymous set-top boxes.
In the interview, Tim Cook claims that this is akin to introducing a virus into the iOS ecosystem:
It's not like we have information on this phone in the next office over. We have no other information on this phone. None.
The only way we know to get additional information is to write a piece of software that is the software equivalent of cancer. That is what is at stake here.
This follows up on a set of answers published by Apple to address specific issues raised by others in response to the case, in which Apple acknowledged that there is nothing stopping them from complying with the order from a technical perspective:
Is it technically possible to do what the government has ordered?
Yes, it is certainly possible to create an entirely new operating system to undermine our security features as the government wants. But it’s something we believe is too dangerous to do. The only way to guarantee that such a powerful tool isn’t abused and doesn’t fall into the wrong hands is to never create it.
Although the device is locked with a passcode, the Device Firmware Upgrade mode can be used to upgrade an existing version of the operating system with a newer version, even if it is locked. Unlike a factory reset, which removes the key associated with the data's encryption, an upgrade from one version of the software to the latest (signed) version is possible even when locked, and without entering the PIN. This corrects earlier information where it was speculated that the PIN input would be required to achieve this.
The ability to upgrade otherwise inoperable devices has been put to use this week to resolve the Error 53 message reported by some users when upgrading to the latest version of the operating system. This error message was created to indicate a fault in the construction pipeline rather than as a user-visible prompt, and so the fact that it turned up on so many devices at once was an indication that the detection was too robust. After initially remaining silent on the issue, Apple published a support document and has provided an update to iOS 9.2.1 that can be applied via the DFU upgrade method, without losing data.
As a result, for this specific phone, Apple could fabricate a version of the operating system that claimed to be newer than the one currently present, and use it to replace the software on the device so that the delay between PIN entries is disabled and/or other means of access are permitted. However, Apple cautions that it would not be possible to limit it to a single device:
Could Apple build this operating system just once, for this iPhone, and never use it again?
The digital world is very different from the physical world. In the physical world you can destroy something and it’s gone. But in the digital world, the technique, once created, could be used over and over again, on any number of devices. Law enforcement agents around the country have already said they have hundreds of iPhones they want Apple to unlock if the FBI wins this case. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks. Of course, Apple would do our best to protect that key, but in a world where all of our data is under constant threat, it would be relentlessly attacked by hackers and cybercriminals. As recent attacks on the IRS systems and countless other data breaches have shown, no one is immune to cyberattacks.
Again, we strongly believe the only way to guarantee that such a powerful tool isn’t abused and doesn’t fall into the wrong hands is to never create it.
If the FBiOS version is created, it won't be long before it is made available through other means, either through official channels and requests or unofficial ones.
Apple has also addressed the claims that they are doing this for PR reasons and that they are explicitly blocking the FBI from doing their job and/or are supporters of criminals, to which Apple takes offence.
Is there any other way you can help the FBI?
We have done everything that’s both within our power and within the law to help in this case. As we’ve said, we have no sympathy for terrorists.
We provided all the information about the phone that we possessed. We also proactively offered advice on obtaining additional information. Even since the government’s order was issued, we are providing further suggestions after learning new information from the Justice Department’s filings.
One of the strongest suggestions we offered was that they pair the phone to a previously joined network, which would allow them to back up the phone and get the data they are now asking for. Unfortunately, we learned that while the attacker’s iPhone was in FBI custody the Apple ID password associated with the phone was changed. Changing this password meant the phone could no longer access iCloud services.
As the government has confirmed, we’ve handed over all the data we have, including a backup of the iPhone in question. But now they have asked us for information we simply do not have.
As many in the technology industry have stood behind Apple with its firmware requests, and some of those objecting have withdrawn their demands, it seems that a general consensus is forming behind Apple rather than the FBI. After initial reports that Bill Gates was supportive of the FBI based on an interview with the Financial Times, he clarified his thoughts in a subsequent interview with Bloomberg, in which he suggested that it is a matter for the courts, and not for him to opine on.
Apple has offered to take part in a commission formed of panels of experts from both the intelligence and technology communities, which is something that has been proposed by the bipartisan Energy and Commerce Committee:
What should happen from here?
Our country has always been strongest when we come together. We feel the best way forward would be for the government to withdraw its demands under the All Writs Act and, as some in Congress have proposed, form a commission or other panel of experts on intelligence, technology, and civil liberties to discuss the implications for law enforcement, national security, privacy, and personal freedoms. Apple would gladly participate in such an effort.
Whatever happens from here, security on iOS devices is going to come under greater scrutiny. Although the iPhone in this case didn't have the secure enclave (a co-processor that is used to handle the password and unlocking controls of an iPhone), it transpires that the firmware for the secure enclave can also be updated using this method. Mike Ash has written extensively about the secure enclave on his Friday Q&A blog. (In the interests of full disclosure, the author of this article was a reviewer for his published Q&A book.)
As a result, Apple is said to be doubling down on the security for future iPhones and versions of the operating system. Whether this will apply to existing devices, or whether the firmware for the secure enclave will be prevented from being upgraded in the future (or at least upgraded without a PIN entry) remains to be seen. A report from Reuters suggests that Apple will be working harder to make iPhones and iOS versions that are immune to the kind of backdoors proposed for this particular device, although this was unconfirmed by Apple. It is, however, likely that this year's release of the iPhone 7 will introduce new security features as a response to these events, regardless of the outcome of this particular case.
Update 26 Feb - Apple files motion to vacate
Apple's legal counsel has filed a Motion to Vacate the order to compel Apple's assistance with the FBI, claiming that the order is unconstitutional:
This is not a case about one isolated iPhone. Rather, this case is about the Department of Justice and the FBI seeking through the courts a dangerous power that Congress and the American people have withheld: the ability to force companies like Apple to undermine the basic security and privacy interests of hundreds of millions of individuals around the globe. The government demands that Apple create a back door to defeat the encryption on the iPhone, making its users' most confidential and personal information vulnerable to hackers, identity thieves, hostile foreign agents and unwarranted government surveillance.
The All Writs Act, first enacted in 1789 and on which the government bases its entire case, "does not give the district court a roving commission" to conscript and commandeer Apple in this manner. In fact, no court has ever authorized what the government now seeks, no law supports such unlimited and sweeping use of the judicial process, and the Constitution forbids it.
The government's reply is due by the 10th of March, and the hearing has been scheduled for the 22nd of March in California. Other technology companies such as Google's parent Alphabet, Facebook, and Microsoft also plan to file legal briefs to support Apple, according to a report by the Wall Street Journal. Other prominent figures such as the Reverend Jesse Jackson have also supported the motion.